Heads up, Zoom users! The screen-sharing feature of the Zoom app has a glitch that may inadvertently leak your sensitive information to others. What's worse is that the app still lacks a fix despite the bug's disclosure.
Zoom Screen-Sharing Glitch
Researchers from SySS, Michael Strametz and Matthias Deeg, have found a serious security problem in the video-conferencing app Zoom.
Specifically, they found a glitch in Zoom's screen-sharing feature that may expose sensitive user information.
Describing the glitch in an advisory, SySS stated,
When a Zoom user shares a specific application window via the “share screen” functionality, other meeting participants can briefly see contents of other application windows which were not explicitly shared.
The contents of not shared application windows can, for instance, be seen for a short period of time by other users when those windows overlay the shared application window and get into focus.
Depending on the unintentionally shared data, this short exposure of screen contents may be a more or less severe security issue.
The glitch may seem harmless, since the unintentional exposure lasts only a brief moment.
However, it becomes a serious issue if another participant records the conference with a screen-recording tool: the accidentally exposed information can then be retrieved from the video recording at leisure.
No Patch Yet
The researchers have presented a proof-of-concept (PoC) for this vulnerability (CVE-2021-28133) in the following video.
They could easily reproduce this flaw in both the Windows and Linux Zoom clients, versions 5.4.3 (54779.1115) and 5.5.4 (13142.0301).
Upon discovering the flaw, they reached out to the Zoom team to report the bug in December 2020. While Zoom acknowledged the vulnerability within the same month, it has not released a fix yet. Nonetheless, the company has assured that it is working on one.
Therefore, until a fix is available, Zoom users should remain very careful when sharing their screen during video conferences. If users need to share a window, they should avoid having any other application window open at the same time that they do not intend to show to participants.